[clo-devel] Re: Please upload your public GPG key to common-lisp.net
anthony at ventimiglia.org
Tue Nov 11 00:14:47 UTC 2003
Erik Enge writes:
> Once the package has been signed, the user can then download the
> package pluss the author's public key and verify that the public key
> at hand signed the package he or she just downloaded.
> The weak link is of course that the user doesn't know if the public
> key is the author's or not. Here's where our signing policy comes
> into play. When developers apply for a project at common-lisp.net
> they receive their passwords encrypted (by mail) and if they
> successfully decrypt and answer the email, their public key will be
> signed by the common-lisp.net keymaster. Thus, the users will have a
> means of verifying that they have the correct key.
Sounds great, how will we handle signing of those of us that are
already members ?
More information about the clo-devel